Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at england.igpolicyteam@nhs.net.

Inquiries, reviews, investigations and court orders in health and social care services


Health and care organisations record information as part of their work and the services they deliver to people.

There are occasions where these records are requested by:

  • statutory public inquiries, for example the UK COVID-19 inquiry
  • non-statutory public inquiries, investigations and reviews of health and care, for example into the safety or quality of services at a specific hospital or in relation to a type of service across the country
  • courts

This guidance is aimed at providing health and care services with advice on how to deal with requests from those listed above. It does not cover clinical audits, which are a way to find out if health and care is being provided in line with standards.



Guidance for patients and service users

There may be times when public inquiries, reviews, investigations or law courts ask to see the health and care information that is held about you by those caring for you (or who have cared for you), for example, your GP practice or hospital clinic. These requests for information are made so that past decisions and events can be examined, and to help make improvements for people seeking care in the future.

Whenever possible, anonymous data, which is data that does not identify you, will be shared instead of information which identifies you as an individual. Confidential information will only be shared if your health and care organisation decides it is necessary and lawful to do so.

Some public inquiries are statutory – this means that the inquiry team has legal powers to obtain confidential information. For example, it is important that information is shared so that lessons are learnt from the UK’s response to COVID-19 to ensure we are better prepared in the event of another pandemic.

For non-statutory public inquiries, reviews and investigations, the information can only be requested. However, where the information is needed to keep people safe from serious harm or death, your health and care organisation will always share it. For example, in the case of the Independent Review of Maternity Services at Shrewsbury and Telford NHS Trust, it was necessary to share confidential information for the review to properly investigate serious complications and deaths resulting from maternity care.

You can check the privacy notice of the organisations caring for you to find out how your information is used.

You can object to your information being shared if it has been requested by a non-statutory public inquiry, review or investigation. You will need to give specific reasons for your objection. Your health and care organisation will need to consider your objection and they will decide whether to comply with it. You will not be able to object to requests issued by statutory public inquiries because of their importance to the wider public. You will also not be able to object if information is requested by a court.


Guidance for healthcare workers

There may be times when public inquiries, reviews, investigations, or law courts request to see the health and care records that you hold for individuals in your care. It is important to comply with these requests and you must work with your information governance (IG) team, senior staff or Caldicott Guardian to respond to them so that information is shared in a lawful way.

Where records are requested, they must not be altered, amended or disposed of, so those dealing with the review, inquiry, investigation or court order know they are accessing the original, genuine records.

Statutory public inquiries

Statutory public inquiries are established to investigate issues of serious public concern. A statutory public inquiry has legal powers to require information. You must comply with any formal request that you receive from a statutory public inquiry or explain to the inquiry why you cannot provide the information requested, for example, you do not hold the requested information.

Where the disclosure of personal or confidential information is in response to a formal request for information from a statutory public inquiry, data protection laws will not be breached. In addition, patient or service user consent is not required because the statutory public inquiry has legal powers to require the information. See the IG professionals’ section for more information.

If you have any concerns or questions regarding the request from the statutory public inquiry, are not sure if the inquiry is a legitimate public inquiry, or are unsure how to answer a question from a patient or service user, you should engage with your IG team, senior staff or Caldicott Guardian.

Non-statutory public inquiries, investigations and reviews related to patient safety

Non-statutory public inquiries, investigations and reviews related to patient safety are often instigated when:

  • something has gone wrong
  • something may have gone wrong – a near miss incident
  • there is a desire to learn more about the safety of a service in order to support improvement in the safety of care

These inquiries, reviews and investigations may be:

  • internal, for example a hospital board could conduct an internal investigation following an increased number of deaths in one of its departments, or
  • external, for example a safeguarding board may undertake an external review to investigate safeguarding concerns in relation to patients within your organisation

Whether the request for information comes from an internal or external source, if the purpose of the request is to learn lessons to improve patient safety and prevent serious harm or death, it is important that you share it, even across organisational boundaries. You should consider any requests for information on a case-by-case basis.

Non-statutory public inquiries, independent reviews or investigations allow a level of independence. This can help to ensure that the findings are accurate, unbiased, and objective, or allow for an investigation to take place across multiple services and organisations. The independence comes from the review or investigation being commissioned and conducted by a team which is not part of or affiliated with the organisation(s) related to the incident. An example is the independent investigation into East Kent Maternity and Neonatal Services.

Where confidential information needs to be shared for non-statutory public inquiries, reviews or investigations related to patient safety, you should engage with your IG team, senior staff or Caldicott Guardian before sharing information.

Non-statutory public inquiries and reviews that are not related to patient safety

Some inquiries and reviews will relate to aspects of health and care that are not about the safety of patients. An example is the independent review of NHS hospital food. It is less likely that this type of review or inquiry will request confidential information. However, it is possible that such a request will be made. In these circumstances you should check with your IG team, senior staff or Caldicott Guardian before sharing information.

Courts

There are 4 main types of court in the English justice system:

  • criminal
  • civil
  • family
  • coroner’s

Each of these courts may request information from health and care organisations. A request like this is called a court order. A judge can request any information they see as relevant to a case, and you are legally obliged to comply by providing exactly the information requested within the court order. The information should be supplied unredacted, and in its original format where possible, to avoid any doubt about its authenticity.

You will always comply with data protection laws by following a court order. If you cannot comply with the court order, because for example you do not hold the information requested, or you consider the request to be in error or irrelevant, you can work with your IG team, senior staff or Caldicott Guardian to apply to the court to set aside the order. You will need to comply with the subsequent decision made by the judge.

Court orders will usually specify a date by which you must present the requested information to the court or explain why it is not available.


Guidance for IG professionals

You may receive a request for health and care information from a public inquiry, review, investigation or law court. Anyone requesting information for these purposes should be able to demonstrate their legal basis for requesting the information. All disclosures should be reviewed before sharing to ensure that only information relevant to the request is being shared and that any irrelevant information, for example third party data, has been redacted. You should ensure that your organisation’s privacy notice covers the sharing of data for inquiries, reviews, investigations and court orders.

Where records are requested, they must not be altered, amended or disposed of, so the team dealing with the review, inquiry, investigation or court order know they are accessing the original, genuine records. Altering, amending or disposing of records, once requested for disclosure, could be seen as a criminal offence under the Data Protection Act 2018 or the Public Records Act 1958.

Statutory public inquiries

Statutory public inquiries are independent of government and other agencies. They are established to investigate issues of serious public concern. Their powers are established in the Inquiries Act 2005. Inquiries will set out their terms of reference, which set the scope of the inquiry, and these will usually be made public before the inquiry begins.

At the time of writing there are two statutory public inquiries which have requested that large parts of the health and social care sector do not destroy any records that are, or may fall, within the remit of the Inquiry:

  • The Infected Blood Inquiry - further information about the Inquiry and the records which can be required is on its website
  • The COVID-19 Inquiry – a separate piece of guidance on preparing for the COVID-19 Inquiry, which includes frequently asked questions, can be found on the NHS England Transformation Directorate website

The Inquiries Act provides a statutory public inquiry with powers to formally request any relevant information from any person or organisation. As a health or care organisation, you must comply with any formal request from a statutory public inquiry that you receive, known as a Section 21 notice. Alternatively, you must explain to the inquiry why you cannot provide them with the information requested, for example, if you do not hold the information. It is an offence under section 35 to not comply with a formal request for information (without good cause or reason).

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases for health and care organisations to disclose this information are:

  • Article 6 (1) (c) legal obligation, in this case compliance with a notice made under section 21 of the Inquiries Act 2005
  • Article 9 (2) (g) substantial public interest on the basis of law, to meet the statutory functions of the Inquiry

Where you are relying on Article 9 (2) (g) substantial public interest, you must ensure you have an appropriate policy document in place. The Information Commissioner’s Office (ICO) has produced guidance on what this should cover and a template document.

Confidential patient information and employee records (for example, HR records) are subject to a duty of confidentiality. Where the formal request includes confidential patient information, the lawful basis for providing this under the common law duty of confidentiality is met. This is because the Inquiries Act establishes a statutory obligation for health and care organisations to disclose relevant information to the Chair of a statutory public inquiry when requested. This overrides the duty of confidentiality allowing the disclosure to take place lawfully. Additional steps, such as seeking consent, are therefore not required.

The inquiry team will provide instructions on how to supply the requested information, and by when. You should direct any questions you have regarding the request to the inquiry team.

If you receive an informal request for information from a statutory public inquiry, the legal bases under UK GDPR for processing personal data are:

  • Article 6 (1) (e) public task
  • Article 9 (2) (g) substantial public interest on the basis of law, to meet the statutory functions of an inquiry

An informal request will not override the duty of confidentiality. Therefore, information will either need to be provided in an effectively de-identified format (for example to provide an aggregated dataset showing numbers of inpatients by age, sex and ethnicity), or a formal section 21 request will need to be made by the statutory public inquiry for confidential information.

Many of the documents of interest to the inquiry, in particular internal working documents and communications, may not contain any confidential patient or employee data, so you can provide these to the inquiry if requested.

You must only provide the specific information requested by the inquiry.

You must retain information that is in scope of an inquiry as set out in its terms of reference. Retaining information for a statutory public inquiry will not breach UK GDPR or the common law duty of confidentiality.

Non-statutory public inquiries, investigations and reviews related to patient safety

Health and care organisations must work with any investigation that is considering the safety of the care and support that the organisation has provided. This includes providing records and other information to allow the investigation to carry out its task.

Public inquiries are established by the government. Non-statutory public inquiries are not in scope of the Inquiries Act and therefore do not have the same powers to require information as statutory public inquiries.

Investigations and reviews may be internal, external, or independent. Independent investigations and reviews are carried out by a third party appointed by NHS England or a local commissioner on the basis of the Serious Incident Framework (2015) or its successor the Patient Safety Incident Response Framework (PSIRF) which is being implemented as part of the NHS Patient Safety Strategy. The PSIRF will be used by all services commissioned under the NHS standard contract.

Identifiable information will not always be needed to conduct an investigation, review, or inquiry. Wherever possible information should be either anonymised, or pseudonymised so that those conducting the review would not reasonably be able to identify individuals.

Where personal data is needed, the lawful bases under UK GDPR for processing data are:

Where confidential patient information is required and the information needs to be shared with those not directly involved in an individual’s care, for example, the internal or external investigation or review team, you will need to consider on a case by case basis the purpose of the review, non-statutory public inquiry or investigation and the seriousness of the case.

Where there is an overriding public interest to prevent serious harm in the future, as will be the case with patient safety-related investigations and reviews, then you can share confidential patient information. It is unlikely that their consent to share information would be required in cases of serious harm as the public interest would override any objection.

A non-statutory inquiry, review or investigation may for example be looking at events that have led to death or serious harm and identifiable information must be used to link an affected individual’s records to understand the full events leading to harm.

Where an organisation undertakes an internal investigation in response to a complaint, the common law duty of confidentiality is met with the implied consent of the complainant. This is because the complainant has a reasonable expectation that their data will be shared with relevant managers and senior staff, including staff who were not part of the original care team, to ensure a fair and independent investigation.

Where complaints relate to third parties (for example, a family member complaining about the treatment their relative has received), then the complainant will need to provide evidence they have the consent of their relative to submit the complaint, or the health or care organisation will need to confirm consent with the relative, in order to investigate the complaint. If the relative does not provide consent, then the complaint cannot be investigated.

In addition to this, organisations involved in the individual’s care pathway (for example the ambulance service) may share information if it is relevant to the organisation handling the complaint (for example a hospital trust) as this would also fall under the reasonable expectation of the complainant.

You should be transparent about how information will be shared when a complaint is made in your complaints policy.

Non-statutory public inquiries, investigations and reviews that are not related to patient safety

Identifiable information is unlikely to be needed to conduct a review or inquiry into issues that do not directly concern the safety of healthcare, for example a review into hospital food. Wherever possible information should be either anonymised, or pseudonymised so that those conducting the review would not reasonably be able to identify individuals.

Where a non-statutory public inquiry, review or investigation does not relate to patient safety and confidential information is required then you cannot rely on implied consent to share with those not directly caring for an individual, and it is unlikely to be in the overriding public interest. In this circumstance you will need to anonymise the data or seek explicit consent.

Courts

Each of the four main types of court in the English justice system (criminal, civil, family and coroner’s) may request information from health and care organisations in the form of a court order. A judge can request any information they see as relevant to the case, and you must comply by providing exactly the information requested within the court order, in its original format where possible, to avoid any doubt about the authenticity of the record.

Under UK GDPR, the legal bases for processing information for court orders are:

  • Article 6 (1) (c) legal obligation
  • Article 9 (2) (f) legal claims, or courts acting in their judicial capacity

A court order will also satisfy the common law duty of confidentiality, where the request would involve the disclosure of confidential patient information as disclosure is legally required.

Court orders will usually specify a date by which you must present the requested information to the court or explain why it is not available.

You will always be compliant with data protection law by following a court order. Failure to comply with a court order may result in you being found in contempt of court and incurring unnecessary legal costs.

If you cannot comply with the court order, you will need to apply to the court requesting a hearing. You might not be able to respond, for example, because you do not hold the information requested, or you consider the request to be in error or irrelevant to the case in question. The hearing is an opportunity for you to present a statement to the court explaining your reasons to set aside the order. The judge will decide, and you must comply with their decision.
